[Other] Review Your Cross-Scripting Defenses with 2 New Google Tools
雨后云初霁 posted on 2016-10-3 15:42:17
WordPress, the most popular content management system of all time, is used by 59.3 percent of all websites based on content management systems. As of Sept. 29, this represents 26.7 percent of all websites on the web. Being a modern, flexible and efficient content management system, WordPress is the tool of choice for many users around the world. Of course, popularity comes with a cost.
   

If you skip on security essentials, especially those outlined here, your WordPress installation could be impacted by one of the 5,237 WordPress core, plugin and theme vulnerabilities that we know about. It would be wise to run a search here and see if your site is using one of the vulnerable plugins or themes.

One of the most common attacks is cross-site scripting. Sixty percent of payouts under Google's Vulnerability Reward Program are awarded to researchers discovering XSS vulnerabilities. A search on the WordPress vulnerabilities database reveals that there are more than 1,000 instances of cross-site scripting.

Cross-site scripting is a bug, typically found in web applications, which allows the addition of malicious JavaScript code onto HTML pages displayed to your visitors. Once executed by the victim's browser, this code will alter the behavior or appearance of the website, potentially compromising private data, or will perform actions on behalf of the user. Some of the results of a successful XSS attack are watering hole attacks, malicious advertising campaigns and drive-by attacks. The latter are particularly dangerous since the mere act of opening the affected web page may have severe consequences for your user. Extensive documentation on the vulnerability can be found here.

To mitigate XSS attacks, web developers are implementing content security policies. Initially named Content Restrictions, CSP is a computer security standard, currently a Candidate Recommendation of the W3C working group on Web Application Security, supported by most modern web browsers. Firefox 4 was the first browser to adopt the standard. CSP provides a standard method for web developers to declare the sanctioned origins of content that browsers are allowed to load on a particular website. CSP is a flexible tool allowing developers to implement content policies regarding CSS, JavaScript, web workers, fonts, images and many other HTML5 features.

However, the flexibility of CSP is also its biggest problem. In a recent Internet-wide study, Google analyzed 100 billion pages from over 1 billion hostnames and identified CSP deployments on 1,680,867 hosts with 26,011 unique CSP policies. Ninety-five percent of the deployed CSP policies were ineffective in protecting against XSS, mainly because developers load external scripts from whitelisted domains that expose patterns which allow attackers to bypass CSP protections, or because developers implement CSP policies which allow inline scripts (script-src 'unsafe-inline').

"One of the underlying reasons is that out of the 15 domains most commonly whitelisted by developers for loading external scripts as many as 14 expose patterns which allow attackers to bypass CSP protections." – CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy, Google 2016

To assist developers in deploying effective CSPs, Google introduced two tools to evaluate the viability of particular CSP policies:

• CSP Evaluator: gives developers a practical overview of the effects of setting a policy.
• CSP Mitigator: a Chrome extension which assists developers in CSP deployment. CSP Mitigator is a step forward in replacing traditional CSP policies based on URL whitelists with CSP3 policies based on cryptographic nonces. Supported by Chrome and Opera (and soon by Firefox), a nonce-based policy is the way to benefit from the extra protection now.
In conclusion, there are two scenarios in which a CSP policy is not necessary:

• For a static application, hosted on an individual domain.
• For applications known to be vulnerable to XSS: reviewing the code or adopting a safer framework should do the trick.

00001111 posted on 2016-10-3 16:48:42
In my next life I want to be a boy and marry a girl like me.

千兰 posted on 2016-10-4 05:58:42
Just watching, just watching, where is the sofa (first reply)!!!

ygiun posted on 2016-10-4 06:17:45
Paint a game of life and death, and write an ending for our story.

奔跑吧兄弟 posted on 2016-10-4 06:17:47
Comeback successful......

gaofei111111 posted on 2016-10-4 06:17:49
Bumping keeps you healthy

jimwg posted on 2016-10-5 04:46:08
Man is the post, rice is the steel; a day without replying and the heart feels uneasy

111111111 posted on 2016-10-5 05:00:30
This time it must be the sofa (first reply)!

亚玛网铺 posted on 2016-10-11 15:47:23
If I am well, it is a sunny day.

xiangyu5412 posted on 2016-11-6 20:42:35
Yuan Fang, what do you think?
